Azure AD - missing roles claim in the token

Question

I've set up authentication through Azure Active Directory (AAD) and everything works fine (I receive my access and refresh tokens).

I've read about app roles and I would like to use them (for simplicity, let's assume I want to have Admin and User roles). I've followed the official documentation (which is missing the last part ..) here.

Unfortunately, the tokens don't contain the 'roles' claim.

Here is my setup in more detail:

1) I have Azure AD app called TestAuthApp and I added roles to the manifest

2) I assigned the roles

3) This is the url for login: https://login.microsoftonline.com/3926f5f4-ca60-46de-b9f8-72639d55232d/oauth2/authorize?client_id=fea5d169-5535-4a8c-ba61-bcb0b25129dd&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A1338%2Fauth

4) And this is the node.js code which handles the auth code and receives the tokens

5) Example of a returned access token for Test Joe (when you check it in jwt.io you see that roles claim is not present) eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyIsImtpZCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8zOTI2ZjVmNC1jYTYwLTQ2ZGUtYjlmOC03MjYzOWQ1NTIzMmQvIiwiaWF0IjoxNTcxMjMxNjQwLCJuYmYiOjE1NzEyMzE2NDAsImV4cCI6MTU3MTIzNTU0MCwiYWNyIjoiMSIsImFpbyI6IjQyVmdZT0F5czRzdGFOclB0MFNtWUNOZllxamtuczNMcnpYLzhacTY1NjRXaTBuVXdwMEEiLCJhbXIiOlsicHdkIl0sImFwcGlkIjoiZmVhNWQxNjktNTUzNS00YThjLWJhNjEtYmNiMGIyNTEyOWRkIiwiYXBwaWRhY3IiOiIxIiwiaXBhZGRyIjoiOTQuMjMwLjE1MC40IiwibmFtZSI6IlRlc3QgSm9lIiwib2lkIjoiZDU3YjZlNjAtNzVhMC00ODM4LTllYmMtZWM1MzRkYjAyMTM0IiwicHVpZCI6IjEwMDMyMDAwNDhGOEMwNEQiLCJzY3AiOiJVc2VyLlJlYWQiLCJzdWIiOiJURllOclNGT01EcU5kRnBaY25YeGdoRm1GR2IteHFZN3Y2bDh6R1lhRGg4IiwidGVuYW50X3JlZ2lvbl9zY29wZSI6Ik5BIiwidGlkIjoiMzkyNmY1ZjQtY2E2MC00NmRlLWI5ZjgtNzI2MzlkNTUyMzJkIiwidW5pcXVlX25hbWUiOiJ0ZXN0am9lQHNlY3VyaXR5cG9jMTIzNC5vbm1pY3Jvc29mdC5jb20iLCJ1cG4iOiJ0ZXN0am9lQHNlY3VyaXR5cG9jMTIzNC5vbm1pY3Jvc29mdC5jb20iLCJ1dGkiOiJHQUJCYy1TaTBVbXZMMzVBRXk4V0FBIiwidmVyIjoiMS4wIn0.Z8gydgRzEqk9dZ_fxt67iZMwVqu708WrZWJf3_9ydgc9cV0HizECxXxeNuws6EtiQhLxnguOVYKq7s5R2V4AlquAnc75YaMn0mWhZXGEtuVT6T6tldy5GgrbDpJy9eU5Ismo5ppfkcGRkUoJ0lScHeXic1gQ_M_k44e-QXJtMMxr6JdPA9jqixuCMK-84TdbYC1RlJYM47PJfYttWoibI29XsoUU-0ucwcCB8hshZfQRU48LrTlCwmtB-p9rim6E7xLmBxaXMBo99N9AizGJj9jV-rr_bPGXpq8_CQsiF07cKJ51SWe8dbMpCwybKYVVoMc3rsazylKcJzxDp1rD4A

Answer 1

The token is an access token that is not for your app. The roles you are looking for should be in the id token.

The reason why I say that is because the audience is 00000002-0000-0000-c000-000000000000, which is a built-in API (can't recall which one though).